Integrated Security Model for SNMP (isms)

Last Modified: 2008-08-21

Additional information is available at tools.ietf.org/wg/isms

Chair(s):

  • Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>

    Security Area Director(s):

  • Tim Polk <tim.polk@nist.gov>
  • Pasi Eronen <pasi.eronen@nokia.com>

    Security Area Advisor:

  • Pasi Eronen <pasi.eronen@nokia.com>

    Mailing Lists:

    General Discussion: isms@ietf.org
    To Subscribe: isms-request@ietf.org
    In Body: in body: (un)subscribe
    Archive: http://www.ietf.org/mail-archive/working-groups/isms/current/maillist.html

    Description of Working Group:

    The Simple Network Management Protocol version 3 (SNMPv3) provides
    message security services through the security subsystem, for which
    there is one currently defined model - the User-based Security Model
    (USM). However, the USM approach has seen limited deployment so far.
    One frequently reported reasons is the lack of integration of USM
    key and user management into deployed authentication infrastructures.

    SSH is a widely deployed access protocol for remote devices
    configuration. Many devices support the integration of SSH user
    authentication with AAA systems via protocols such as RADIUS.

    The goal of the ISMS working group is developing a new security model
    for SNMP that integrates with widely deployed user and key management
    systems, as a supplement to the USM security model.

    For this integration the working group will define a standard method
    for mapping from AAA-provisioned authorization parameter(s) to
    corresponding SNMP parameters.

    In order to leverage the authentication information already accessible
    at managed devices, the new security model will use the SSH protocol
    for message protection, and RADIUS for AAA-provisioned user
    authentication and authorization. However, the integration of a
    transport mapping security model into the SNMPv3 architecture should be
    defined such that it is open to support potential alternative transport
    mappings to protocols such as BEEP and TLS.

    The new security model must not modify any other aspects of SNMPv3
    protocol as defined in STD 62 (e.g., it must not create new PDU types).

    Work on new access control models or centralized administration of
    View-based Access Control Model (VACM) rules and mappings is outside
    the scope of the working group.

    The working group will cover the following work items:

    - Specify an architectural extension that describes how transport
    mapping security models (TMSMs) fit into the SNMPv3 architecture.
    - Specify an architectural extension that describes how to perform a
    mapping from AAA-provisioned user-authentication and authorization
    parameter(s)to securityName and other corresponding SNMP parameters.
    - Specify a mapping from RADIUS-provisioned authentication and
    authorization parameter(s) to securityName and other corresponding
    SNMP parameters. This item may be a RADEXT work item last-aclled
    in both groups.
    - Specify a mapping from locally-provisioned authentication and
    authorization parameter(s) to securityName and other corresponding
    SNMP parameters.
    - Define how to use SSH between the two SNMP engines
    - Specify the SSH security model for SNMP.

    Goals and Milestones:

    Done  Cut-off date for internet-drafts to be submitted to the working group for consideration as a proposed solution
    Done  Decision about which architecture the WG will focus its efforts on
    Done  Initial version of a general transport mapping security models (TMSMs) document that specifies how TMSMs fit into the SNMPv3 architecture and that defines the requirements for transport mapping security models
    Done  Initial version of a document specifying the SSH security model for SNMP
    May 2007  Initial version of a document specifying the RADIUS authentication and authorization mapping model for SNMP
    Aug 2007  Submit document on Transport Security Model for SNMP to IESG
    Aug 2007  Submit document on Transport Subsystem for SNMP to IESG
    Aug 2007  Submit document on Secure Shell Transport Model for SNMP to IESG
    Aug 2007  Submit RADIUS mapping model for SNMP to IESG

    Internet-Drafts:

    Remote Authentication Dial-In User Service (RADIUS) Usage for Simple Network Management Protocol (SNMP) Transport Models (36161 bytes)

    Request For Comments:

    Secure Shell Transport Model for the Simple Network Management Protocol (SNMP) (RFC 5592) (82822 bytes)
    Transport Security Model for the Simple Network Management Protocol (SNMP) (RFC 5591) (61747 bytes)
    Transport Subsystem for the Simple Network Management Protocol (SNMP) (RFC 5590) (84513 bytes) updates RFC 3411,RFC 3412,RFC 3414,RFC 3417
    IETF Secretariat - Please send questions, comments, and/or suggestions to ietf-web@ietf.org.

    Return to working group directory.

    Return to IETF home page.